diff --git ext/openssl/lib/openssl/ssl.rb ext/openssl/lib/openssl/ssl.rb index ff1d4ef..a96aad0 100644 --- ext/openssl/lib/openssl/ssl.rb +++ ext/openssl/lib/openssl/ssl.rb @@ -174,6 +174,14 @@ module OpenSSL include Nonblock def post_connection_check(hostname) + if peer_cert.nil? + msg = "Peer verification enabled, but no certificate received." + if using_anon_cipher? + msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification." + end + raise SSLError, msg + end + unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" end @@ -185,6 +193,14 @@ module OpenSSL rescue SSL::Session::SessionError nil end + + private + + def using_anon_cipher? + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + ctx.ciphers.include?(cipher) + end end ## diff --git test/openssl/test_ssl.rb test/openssl/test_ssl.rb index 3eddb0a..e6a77f3 100644 --- test/openssl/test_ssl.rb +++ test/openssl/test_ssl.rb @@ -369,6 +369,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } + start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + server_connect(port, ctx) { |ssl| + msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \ + "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification." + assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")} + } + } + now = Time.now exts = [ ["keyUsage","keyEncipherment,digitalSignature",true], diff --git test/openssl/utils.rb test/openssl/utils.rb index 1da3bcf..bd936be 100644 --- test/openssl/utils.rb +++ test/openssl/utils.rb @@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC ctx_proc = args[:ctx_proc] server_proc = args[:server_proc] ignore_listener_error = args.fetch(:ignore_listener_error, false) + use_anon_cipher = args.fetch(:use_anon_cipher, false) server_proc ||= method(:readwrite_loop) store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher ctx.cert_store = store #ctx.extra_chain_cert = [ ca_cert ] ctx.cert = @svr_cert